Apple Patches 3 iOS Flaws Hackers May Be Actively Exploiting

Published in PC Magazine (PCMag), Jan 27, 2021

Apple’s description of the iOS vulnerabilities suggests the hackers have been chaining them together to spread malware to victims.

By Michael Kan

Apple is warning that hackers may be exploiting three bugs in iOS to take over iPhones.

On Tuesday, the company released an emergency patch after learning about the flaws from an anonymous security researcher. “Apple is aware of a report that this issue may have been actively exploited,” it says.

Details on the vulnerabilities remain scant. But the first two flaws, CVE-2021-1870 and CVE-2021-1871, involve WebKit, the browser engine in Safari and iOS’s Mail application. According to Apple, a “logic issue” can be abused to cause WebKit to execute computer code. This suggests the vulnerability can pave the way for a hacker-crafted email or website to trigger an iPhone to download a malicious app.

The third flaw, CVE-2021-1782, deals with iOS’s kernel, which controls the major interactions behind the operating system. A bug in how the kernel executes operations can enable a malicious iOS app to gain additional privileges.

The company’s description of each flaw suggests hackers have been chaining the vulnerabilities together to spread malware to victims. According to Apple, the flaws affect iPhones going back to 6s and iPads stretching to the iPad Air 2 and iPad mini 4.

Patches will arrive with iOS 14.4 and iPadOS 14.4. To update your iPhone, go to Settings > General > Software Update. The device can also update automatically if you’ve toggled on automatic updates.

Apple’s support document on the vulnerabilities says the company will provide additional details soon. But we wouldn’t be surprised if the attacks came from a state-sponsored hacking group seeking to spy on high-value targets. (In November, Google security researchers also uncovered a separate trio of iOS flaws that were under active exploitation.)

Originally published at https://www.pcmag.com.
